Crypto agility

From HandWiki

Crypto-agility ('cryptographic agility') allows an information security system to switch to alternative cryptographic primitives and algorithms without making significant changes to the system's infrastructure. Crypto-agility facilitates system upgrades and evolution.

Crypto-agility can act as a safety measure or an incident response mechanism when the encryption algorithms of a system are discovered to be vulnerable.[1] A security system is considered crypto agile if its encryption algorithms can be replaced with ease and is at least partly automated.[2][3]

Example

The retirement of the X.509 public key certificate illustrates crypto-agility. A public key certificate has cryptographic parameters including key type, key length, and a hash algorithm. X.509 version v.3, with key type RSA, a 1024-bit key length, and the SHA-1 hash algorithm were found by NIST to have a key length that made it vulnerable to attacks, thus prompting the transition to SHA-2.[4]

Importance

Cryptographic techniques are widely incorporated to protect applications and business transactions. Since the 2010s, public key infrastructure (PKI) has been progressively integrated into business applications via public key certificates, which were used as trust foundations between network entities. PKI has better security features than traditional access control mechanisms, which incorporate cryptographic technologies such as digital certificates and signatures.[5] Public key certificates acting as digital credentials are the core component for strong authentication and secure communication between entities through public networks.[6] With a continuing increase in users and threats, crypto-agility has emerged as key for business security 58% of cyber attacks target small business because of their security system vulnerabilities.[7]

Quantum computing is expected to be able to defeat public key cryptography. The latter depends on large integer factorization and discrete logarithm problems that quantum computers can solve exponentially faster than conventional computers.[8] Elliptic curves are one potential solution.[9]

Awareness

System evolution and crypto-agility are not the same. System evolution progresses on the basis of emerging business and technical requirements. Crypto-agility is related instead to computing infrastructure and requires consideration by security experts, system designers and application developers.[10]

Best practices

Best practices about dealing with crypto-agility include:[8]

  • All business applications involving any sort of crypto technology should incorporate the latest algorithms and techniques.
  • Crypto-agility requirements must be disseminated to all hardware, software and service suppliers, who must comply on a timely basis.
  • Suppliers who cannot address these requirements mus be replaced.
  • Suppliers must provide timely updates and identify the crypto technology they employ.
  • RSA should be replaced by quantum-resistant solutions.[9]
  • Symmetric-key algorithm have to be used with long key lengths.
  • Hash algorithms must use high bit sizes.
  • Comply with standards and regulations.[11]

References

  1. Henry, Jasmine. "What is Crypto-Agility?". Cryptomathic. https://www.cryptomathic.com/news-events/blog/what-is-crypto-agility. Retrieved 26 November 2018. 
  2. Patterson, Royal Holloway, University of London, Kenny. "Key Reuse: Theory and Practice (Workshop on Real-World Cryptography)". Stanford University. https://crypto.stanford.edu/RealWorldCrypto/slides/kenny.pdf. Retrieved 26 November 2018. 
  3. Sullivan, Bryan. "Cryptographic Agility". Microsoft Corporation on Blackhat.com. http://media.blackhat.com/bh-us-10/whitepapers/Sullivan/BlackHat-USA-2010-Sullivan-Cryptographic-Agility-wp.pdf. Retrieved 26 November 2018. 
  4. Grimes, Roger A. (2017-07-06). "All you need to know about the move from SHA1 to SHA2 encryption" (in en). https://www.csoonline.com/article/2879073/all-you-need-to-know-about-the-move-from-sha1-to-sha2-encryption.html. 
  5. "Chapter 18. Fundamentals of the Public Key Infrastructure - CCNA Security 640-554 Official Cert Guide [Book"] (in en). https://www.oreilly.com/library/view/ccna-security-640-554/9780132966061/ch18.html. 
  6. "IBM Knowledge Center" (in en-US). https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/publickeycertificates.html. 
  7. Walker, Ivy. "Cybercriminals Have Your Business In Their Crosshairs And Your Employees Are In Cahoots With Them." (in en). https://www.forbes.com/sites/ivywalker/2019/01/31/cybercriminals-have-your-business-their-crosshairs-and-your-employees-are-in-cahoots-with-them/. 
  8. 8.0 8.1 Mehmood, Asim. "What is crypto-agility and how to achieve it?". Utimaco. https://content.hsm.utimaco.com/blog/what-is-crypto-agility-and-how-to-achieve-it. Retrieved 26 November 2018. 
  9. 9.0 9.1 Chen, Lily; Jordan, Stephen; Liu, Yi-Kai; Moody, Dustin; Peralta, Rene; Perlner, Ray; Smith-Tone, Daniel. "Report on Post-Quantum Cryptography (NISTIR 8105)". National Institute of Standards and Technology NIST. https://nvlpubs.nist.gov/nistpubs/ir/2016/nist.ir.8105.pdf. Retrieved 26 November 2018. 
  10. Henry, Jasmine. "3DES is Officially Being Retired". Cryptomathic. https://www.cryptomathic.com/news-events/blog/3des-is-officially-being-retired. Retrieved 26 November 2018. 
  11. Macaulay, Tyson. "Cryptographic Agility in Practice". InfoSec Global. https://uploads-ssl.webflow.com/5bd73d456f7b3f2db2bbbb95/5c76a740dcc2cc4646a06805_ISG_AgilityUseCases_Whitepaper-FINAL.pdf. Retrieved 5 March 2019.